We can expect to see many more lawsuits over breaches because most US health systems have abysmal data security and by design allow thousands of employees to access the sensitive health information of millions of patients. This immense scale of damage was simply impossible with paper systems.

Ironclad security is very difficult technically (think WikiLeaks) because health systems were architected to enable ‘open access’ by hundreds or thousands of employees to millions of sensitive health records.

Today, the only ‘barrier’ to health data access in the US are ‘pop-up’ screens that ask, “Do you have a right to access this patient’s information?’ This is hardly effective. Yes, of course, after-the-fact audit trails of access can be used to identify those who should not have seen a record. It is a very weak kind of data protection; in fact, today patients identify the majority of data breaches, not health IT systems.

When will the US get serious about building privacy-enhancing architectures where ONLY clinical staff or others who are directly involved in a patient’s care can access the patient’s data with informed consent. Systems that prevent access by MOST employees could prevent the vast majorities of data breaches and data thefts.

Using and building systems designed for privacy would be a FAR better use of the stimulus billions than how they are currently being spent: to buy and promote the use of HIT systems that cannot possibly protect health data from misuse and theft, and in fact is designed to spread health information to many unseen and unknown secondary corporate and government users.